Exclude released PowerShell versions on CVE-2025-21171, all PowerShell versions on CVE-2023-48795 (#26659)

For #26073.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
This commit is contained in:
Ian Littman 2025-02-27 11:21:23 -06:00 committed by GitHub
parent d03e5893cb
commit db2778ea5a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 43 additions and 0 deletions


@ -209,6 +209,25 @@ func GetKnownNVDBugRules() (CPEMatchingRules, error) {
return cpeMeta.Product == "visual_studio_code" && cpeMeta.TargetSW == wfn.Any
},
},
// CVE-2023-48795 in NVD incorrectly mentions PowerShell as vulnerable when the issue is actually with OpenSSH,
// which is packaged separately. It also includes a bogus resolved-in version number. See #26073.
CPEMatchingRule{
CVEs: map[string]struct{}{
"CVE-2023-48795": {},
},
IgnoreIf: func(cpeMeta *wfn.Attributes) bool {
return cpeMeta.Vendor == "microsoft" && cpeMeta.Product == "powershell"
},
},
// CVE-2025-21171 only affects RC versions of PowerShell, see https://github.com/PowerShell/Announcements/issues/72
CPEMatchingRule{
CVEs: map[string]struct{}{
"CVE-2025-21171": {},
},
IgnoreIf: func(cpeMeta *wfn.Attributes) bool {
return cpeMeta.Vendor == "microsoft" && cpeMeta.Product == "powershell" && cpeMeta.Update == ""
},
},
// Old macos CPEs without version constraints that should be ignored
CPEMatchingRule{
CVEs: map[string]struct{}{
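Review bot: The CVE-2025-21171 rule's `cpeMeta.Update == ""` compares against a bare literal where the rule just above it (the visual_studio_code one) compares the same kind of field against `wfn.Any`; the two should use the same spelling so a reader does not have to know that the wfn "any" value happens to be the empty string. It would also be worth deciding explicitly what a CPE whose update component is NA (`wfn.NA`, the `-` value) should do: as written it falls through to "vulnerable", which is presumably not intended for a released build, though I cannot see from this hunk whether the CPE translation ever emits NA for PowerShell. A possible form is `return cpeMeta.Vendor == "microsoft" && cpeMeta.Product == "powershell" && (cpeMeta.Update == wfn.Any || cpeMeta.Update == wfn.NA)`. Note also that the comment only claims RC builds are affected, so any other non-empty update string (a preview tag, for example) would still be reported; if that is deliberate, a one-line comment saying so would save the next reader a trip to the linked announcement. The enclosing GetKnownNVDBugRules function begins and ends outside this hunk.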


@ -367,6 +367,30 @@ func TestTranslateCPEToCVE(t *testing.T) {
excludedCVEs: []string{"CVE-2024-10327"},
continuesToUpdate: true,
},
// CVE-2023-48795 false positive and true positive checks (see #26073)
"cpe:2.3:a:microsoft:powershell:7.4.3:*:*:*:*:*:*:*": {
excludedCVEs: []string{"CVE-2023-48795", "CVE-2025-21171"},
continuesToUpdate: true,
},
"cpe:2.3:a:openbsd:openssh:9.5:p1:*:*:*:*:*:*": {
includedCVEs: []cve{{ID: "CVE-2023-48795", resolvedInVersion: "9.6"}},
continuesToUpdate: true,
},
"cpe:2.3:a:openbsd:openssh:9.6:*:*:*:*:*:*": {
excludedCVEs: []string{"CVE-2023-48795"},
continuesToUpdate: true,
},
// end of CVE-2023-48795 checks
// CVE-2025-21171 handling
"cpe:2.3:a:microsoft:powershell:7.5.0:*:*:*:*:macos:*:*": {
excludedCVEs: []string{"CVE-2025-21171"},
continuesToUpdate: true,
},
"cpe:2.3:a:microsoft:powershell:7.5.0:rc.1:*:*:*:macos:*:*": {
includedCVEs: []cve{{ID: "CVE-2025-21171"}},
continuesToUpdate: true,
},
// end of CVE-2025-21171 checks
"cpe:2.3:a:jetbrains:goland:2022.3.99.123.456:*:*:*:*:macos:*:*": {
includedCVEs: []cve{{ID: "CVE-2024-37051", resolvedInVersion: "2023.1.6"}},
continuesToUpdate: true,
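Review bot: The new `openssh:9.6` test key has only ten components after `cpe:2.3:`, one fewer than every other CPE string in this hunk (compare `cpe:2.3:a:openbsd:openssh:9.5:p1:*:*:*:*:*:*`, which has the full eleven), so it is not a well-formed CPE 2.3 formatted string; if the test feeds it through the same unbinding as the other keys, it will most likely be rejected or silently produce no CVEs rather than exercising the `excludedCVEs` check it is meant to. It should read `"cpe:2.3:a:openbsd:openssh:9.6:*:*:*:*:*:*:*": {`. Separately, the comment `// CVE-2023-48795 false positive and true positive checks (see #26073)` sits over a case that also lists CVE-2025-21171 in `excludedCVEs`, so it would be clearer as `// CVE-2023-48795 false positive and true positive checks (see #26073); 7.4.3 is also a released build for the CVE-2025-21171 rule`. The enclosing TestTranslateCPEToCVE function starts and ends outside this hunk.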